Web apps are great; we all use them. Yet they represent one of the top security threats to businesses. Hackers compromise them to get to valuable data such as credit cards or to gain access to corporate networks and steal data, like personal data and corporate IP which commands high prices on the black market. According to the mobile security study by NetEnrich, 42% of enterprise organizations said they suffered the loss of key corporate data from mobile devices. Just as troubling, of the top one million websites analyzed by Mozilla, a vast majority failed to implement basic security measures.
Clearly, MSPs and MSSPs must be able to offer their clients a solution that prevents web application attacks. It’s not that their clients are ignoring the need to properly secure web applications, but that the very nature of web technology makes it a difficult beast to tame. First, web applications living behind company web sites are accessible by the broad public, not just employees within the company in a secure environment. deliver the features users expect of today’s web applications, dynamic source code must be used, which often doesn’t incorporate security best practices making it more susceptible to vulnerabilities.
In this article, we will look at some of the top web application threats today, along with a few strategies for service providers to stay on top of them.
Top Threats Today
Clearly, the threat landscape is changing monthly. In July, Accenture outlined persistent continuation of ransomware and phishing, cyber-espionage and DDOS-for-hire services as top areas of concern. Here’s what else we are seeing:
- Advanced persistent threats are ones in which a hacker gains access to a corporate network and stays undetected for a period of time. These breaches are typically carried out through spear phishing attacks. Phishing is commonly executed through email, when the recipient inadvertently clicks on a link they believe is from a trusted source but instead goes to a bogus website full of malware. When the code downloads to the user’s machine, it can serve as a backdoor to internal systems. Combatting such attacks requires consistent adherence to basic security measures including patching, encryption and email filtering. It’s also critical to educate employees on these threats and how to detect dangerous emails or web pages before the damage is done.
- Zero-day vulnerabilities refer to unknown flaws in web applications, which allow cyber-criminals to exploit and steal data without being detected—giving developers zero days to fix the issue once someone determines a breach has occurred. When a zero-day exploit involves the theft of sensitive customer data, all hell breaks loose as a company tries to fix the problem to prevent further leaks and manage the public response and clean-up simultaneously.
- SQL Injection flaws continue to top the list of Top 10 Security flaws reported by the Open Web Application Security Project (OWASP). A SQL Injection attack consists of insertion or "injection" of a SQL query from the client to the application, allowing a bad actor access to sensitive data from the database as well as the ability to modify database data and execute administration operations. As with zero-day exploits, this issue can be prevented by having better application-level security.
What MSPs and MSSPs Can Do
Yes, there is much to worry about when it comes to helping your clients protect their networks and systems from external hackers as well as inside attacks. First, conduct vulnerability scanning, with a focus on detection and tracking. An assessment will show you where the vulnerabilities lie and what is needed to fix them.
Encryption and firewalls are also foundational. Cryptography for web applications will help prevent visibility to sensitive data and a web application firewall that continually assesses the front and back end of web applications for security weaknesses can identify potential loopholes for cyber-criminals.
Server hardening entails going through a checklist of advanced security processes such as configuration and password updates to battle-proof servers from attackers. Security testing is also important, especially with Agile development and it’s faster development cycles. Sixty percent of respondents to a 2016 SANS survey said that they tested applications continuously, and 57% reported discovering 1 to 25 vulnerabilities per month from conducting regular testing.
Training and education to IT departments is key to protecting your clients. Staff should be aware of the major web threats identified by groups like OWASP, as well as best practices in mitigation. OWASP hosts videos on its site with useful information on prevention methods for various attack types as well as information on related security products.
The information in this article is clearly a starting point: with web applications running so much of organizations today, managed security service providers have their work cut out for them.
Your Next Steps
In closing, here are the main points to consider when advising customers on web application security and delivering services in that regard:
- Understand web application and web server configurations and vulnerabilities to make a plan personalized for each customer environment.
- Incorporate broader industry experience and insight from leading security associations and blogs that specialize in cybersecurity, such as MSSP Alert, darkreading.com and krebsonsecurity.com.
- Create an atmosphere of awareness and invest in training for both technical employees and general users to prevent security incidents from happening and learn how to quickly recover when they do happen.
Bonus: Are your customers worried about cyber-attacks? Are you able to offer the best security out there? Check out our latest webinar on cyber-security and find out how we can help.Video link